Please be warned: e-mails from Symantec, F-secure, Sophos, SecureRoot, and VeriSign (owned by Symantec) are not what they claim to be. There’s a new malicious email campaign that tries to trick you into believing you are getting an antivirus notification from your security company, supposedly warning you that your account may be blocked. What you’re really getting is malware.

Cybercriminals are using a familiar trick here: the fake messages claim your account has been sending infected emails to the mail server. To fix it, you are told to click a URL to download a free removal tool (hosted in Brazil), which is actually a malicious executable that connects to malicious websites, and downloads more malware onto your computer.

Here’s what these e-mails look like, according to Websense, which first spotted this spam campaign:

fake symantec notification email 520x377 Warning: Emails claiming to come from Symantec, F Secure, Sophos push malware

The email text contains the phrase “Scanning sytem…” but of course no scan is taking place. You are notified that your computer is infected with the worm W32.Swizzor.C-WORM but the reality is your are about to be infected with RemovalTool.exe.

This appears to be some type of obscure threat, as only 3 out of 42 security solutions on VirusTotal catch it. That malware in turn downloads and executes the following two files, in an attempt to hide itself as Oracle’s Java:

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\L92WDWXT\Plugin[1].dll
C:\Documents and Settings\Administrator\Application Data\Java Update\JavaUpdate.dll

The email may contain a subject like “[Symantec]/F-secure]/[Sophos]/[SecureRoot]/[VeriSign] – Your e-mail account may be blocked.” Please be aware that cybercriminals can easily change the subject, as well as the e-mail address the message appears to be coming from. The perpetrators have so far made it look like the emails are being sent from these email addresses:

  • scanner@symantec.com
  • scanonline@f-secure.com
  • symantec@verisign.com
  • scan@sophos.com
  • symantec@sophos.com
  • virscan@secureroot.com
  • noreply@verisign.com

The good news here is that Websense says this looks like a low-volume spam campaign one. The security firm has only blocked a few thousand of these e-mails (as opposed to a few million) in the past two days.

As a general word of caution, don’t open attachments in e-mails or click on links in them unless you are absolutely certain that the sender is who you think you are. Security companies do not send antivirus notification e-mails such as the fake ones above.

Image credit: stock.xchng